Learn about PIAs
Privacy Impact Assessment (PIA)
British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA) requires public bodies such as UBC to conduct a Privacy Impact Assessment (PIA) for all new or substantially modified systems, projects, programs, or activities (hereinafter referred to as “Projects”). A PIA is a risk management and compliance review process used to identify and address potential privacy and security issues, thus avoiding costly program, service, or process redesign and minimizing exposure to potential privacy or security breaches.
Overall accountability for the PIA process required by FIPPA resides with the University Counsel, under whose guidance Risk Management Services (RMS) handles the PIA process. RMS has also developed a set of tools to support this process.
As UBC engages in a vast array of projects, it follows a risk-based approach to PIAs, which is summarized below.
Summary of UBC’s PIA Process
- Use the PIA Risk Classification Tool (RCT) to determine your project’s privacy and information security risk classification. Ensure your submission has as much detail as possible to maximize our understanding and ability to assist in risk identification and mitigation efforts.
- E-mail the completed RCT (irrespective of the results of the risk classification) to email@example.com for review by the PIA team. A PIA reference number will be assigned to your submission, and an email acknowledging receipt of the submission or initial follow-up will be sent to you, normally within 2 to 4 business days.
- If your project’s risk classification is:
| Risk Level | Process Description |
| --- | --- |
| Low or Medium | This process is used for low-complexity projects. Project teams should submit an RCT as early as possible during the planning phase of the project. The PIA team will apply an expedited process that is customized based on the complexity of the project and advise project teams on next steps. |
| High or Very High | This process is used for complex projects such as large system implementations affecting multiple functional areas. It is divided into three phases, namely, Concept, Architecture & System Selection, and Implementation. The project teams are required to submit an updated RCT in each of these phases. The PIA team will be involved in the discussions throughout the project lifecycle and advise the project team on next steps. |
For other important information in the PIA process, please refer to the Frequently Asked Questions below.
Frequently Asked Questions
What issues are addressed in a PIA?
The PIA process assesses the treatment of personal information (PI), which is defined as “any recorded information about identifiable individuals, with the exception of the names and business contact information of employees, volunteers and service providers”. Examples of questions that are asked in the PIA process:
- What is our legal authority to collect, use and disclose personal information?
- Is the collection, use, and disclosure of the particular personal information for a purpose that is consistent with the project as described?
- Is personal information stored, processed, and accessed within Canada?
- How is personal information protected from unauthorized use or disclosure?
- How long is the personal information retained?
How much time and effort does a PIA take to complete?
UBC’s risk-based approach to PIAs results in more extensive assessments of higher-risk projects to ensure key risks are identified and appropriate actions are taken. These higher-risk projects require the involvement of privacy and security staff who will review the PIA forms you submit and will provide guidance and assistance to help you address key privacy and security risks.
Review of higher-risk projects can follow either a multi-step or an accelerated process. The multi-step process is used for complex projects and spans all of the project life-cycle phases (Concept, Architecture & System Selection, and Implementation). The accelerated process is for projects that are lower complexity.
Any high-risk PIA that involves or results in data-linking between public bodies or agencies must also be reviewed with BC’s Office of the Information and Privacy Commissioner (BC OIPC). It is uncertain how long this review process will take, so you should allow plenty of time in these cases.
Conversely, while low-risk projects still need to comply with all relevant UBC privacy and security standards (including Privacy Fact Sheets, the Information Security Standards, and the Key Security and Privacy Risks & What “Good” Looks Like document), there is no need for you to wait for an independent assessment by central privacy and security personnel.
When do I have to start a PIA, using the Risk Classification Tool (RCT)?
You must use the RCT if you are responsible for a new project or an existing project that is being substantially modified (a “Project” is any system, project, process, program or activity that supports University business).
Start the PIA as early as possible in the project, as soon as the high-level objectives are understood. This helps to prevent substantial re-work and project delays. If factors in your project change, the RCT should be re-submitted.
Here are examples of substantial modifications that would require use of the RCT:
- new types of personal information will be collected
- significant changes will be made to the way personal information is used or disclosed
- personal information will be linked with information from third parties, another department or application
- system access is being changed so that new categories or groups of individuals will have access to personal information; e.g. granting access to other units within the department, other departments or external parties. Note: this does not include day-to-day or routine operational changes to access due to personnel changes.
- storage or access to personal information is being moved outside Canada, or to a vendor or cloud service
- management or security of the personal information will be outsourced
- the retention period for personal information will be changed
What additional information do you require from project teams / vendors to complete the PIA review?
The PIA team may require additional information from project teams to assess compliance with British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA) and UBC information security requirements. The following information may be requested, as applicable:
- Third-party attestation reports such as SOC reports, ISO 27001 etc.
- Data flow diagrams
- Privacy / security clauses in contracts / agreements with vendors and other third parties
- Validation of adherence to privacy and security requirements through testing and other methods
What additional documents or tools are used in the PIA review process?
The PIA team utilizes various tools and documents as part of the PIA review process, depending on the project type and stage. Below is a visual representation of the tools/documents used. Visit the RMS website to download the most recent version of each.
PIA Process Lifecycle

| Solution type | Concept | Architecture & System Selection | Implementation |
| --- | --- | --- | --- |
| Software as a service | Risk Classification Tool (RCT) | Privacy and Information Security Requirements & Risk Assessment | Privacy and Security Solutions and Services Integration Checklist |
| On-premise vendor solution | Risk Classification Tool (RCT) | Application Risk Assessment | Privacy and Security Solutions and Services Integration Checklist |
| On-premise developed/heavily customized solution | Risk Classification Tool (RCT) | N/A | Privacy and Security Solutions and Services Integration Checklist |
Can we share PIAs with other organizations?
Sharing the results of your PIA internally within UBC is acceptable. However, all requests from external individuals or organizations for results of PIAs should be treated as Freedom of Information (FOI) requests, as they may contain sensitive information. Do not respond to or acknowledge the request yourself, but rather forward the request to:
Freedom of Information Specialist
The University of British Columbia
Office of the University Counsel
6328 Memorial Road
Vancouver, BC V6T 1Z2
Are research projects treated differently?
Yes. Generally speaking, a PIA is not required for academic research projects. However, there are certain circumstances when a security assessment may be required for tools that you may use to store and protect personal information during academic research. Please reach out to firstname.lastname@example.org for more information.
What are the consequences of not doing a PIA?
A PIA is a legal requirement of British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA), and not doing one results in non-compliance with legal and regulatory requirements. A PIA helps identify and build in privacy and security requirements in advance, thereby helping projects avoid costly program, service, or process redesign and minimize exposure to potential privacy or security breaches.